Bna.com

Detailed Table of Contents
Chapter 1.
The E-Health Explosion—An Analysis of Legal
and Market Trends. 1 1
III. Growth of the E-Health Industry . 3 2 1. Government and Venture Capital Investment in 2. Recent E-Health Merger and Acquisition IV. Privacy Concerns and Enforcement . 15 6 Chapter 2.
E-Health Industry Overview . 19 9
A. Traditional Health Care Delivery Model . 21 — B. E-Health’s Underlying Technology . 23 — C. Participants in E-Health Industry . 23 — E-Health, Privacy, and Security Law—2013 Supp. 4. Vendors of Health Information Technology . 26 — D. E-Health Business Industry Models . 27 — E. State of Electronic Health Records Adoption . 28 — G. Challenges Confronting E-Health . 30 — III. Government Role in E-Health . 30 — A. HITECH Act and Health Care Reform . 30 — B. EHR, E-Prescribing Incentives, and Key Regulations . 33 — IV. E-Health Improvement to Health Care Delivery. 36 — Chapter 3.
Health Information Technology . 43 11
II. Government Health Information Technology Initiatives . 44 — III. Development of Standards for Electronic Health Records . 46 — A. Standards Development for Electronic Health Records . 46 — B. Barriers to Adoption of Electronic Health Records . 50 — IV. Health Information Exchanges . 51 — B. Lessons Learned From Early RHIO Efforts . 53 — C. RHIO Technology Providers Are Fragmented . 56 — V. Accountable Care Organizations . 56 — VI. Analysis of Health Care Data to Support Improvements and A. Data Aggregation for Analysis . 57 —
C. Interoperability and the Aggregation of Data . 59 — D. Risks of Electronic Health Care Data . 60 — Chapter 4.
Privacy, PHRs, and Social Media . 63 13
II. What Is a Personal Health Record? . 64 — A. Paradigm Shift to Electronic Health Records B. Market Forces Spurring the Use of Electronic Personal C. Web 2.0—What Is Social Media? [Substitute Text] . — 16 C. PHRs Distinguished From EMRs and EHRs . 70 — V. Unique Risks Associated With Internet-Based PHRs . 72 17 VI. Federal Privacy and Breach Notification Protections of 1. HIPAA Entities [Substitute Text] . — 18 2. Privacy Protection for Non-HIPAA Vendor 1. HIPAA Breach Notification Rule . 76 — b. Did the Breach Cause Threshold Harm? . 77 — c. To Whom Must the Breach Be Reported, and 2. HITECH Health Breach Notification Rule for b. To Whom Must the Breach Be Reported, and v. Third-Party Service Providers . 80 — C. Content of Notice of Disclosure . 80 — D. Dual Reporting Obligations Under HIPAA Breach Notification Rule and Health Breach Notification Rule . 81 — A. Confidentiality of Patient Medical Records . 81 — B. State Breach Notification Statutes . 82 — VIII. Conclusion and Recommendations . 82 — Chapter 5.
Privacy Issues in U.S. Health Care . 85 21
A. Privacy Laws and Standards—Domestic and 3. Scope of Constitutional Protection . 89 — 1. Protection of Specified Health Information . 90 — 2. Protection of Specified Groups . 92 — a. Children’s Online Privacy Protection Act of E-Health, Privacy, and Security Law—2013 Supp. 3. Protection of Specific Segments of the Health Care c. Health Insurance Portability and Accountability Act of 1996—Privacy Regulations . 95 — iii. “Minimum Necessary” Standard. 102 — iv. De-Identified Information and Limited d. Health Information Technology for Economic and Clinical Health (HITECH) Act . 107 — i. Summary of Subtitles A, B, and C . 107 — ii. Subtitle D—Amendments to HIPAA’s (b) Breach and Notification of Breach. 111 — (d) Changes to Individual Rights Granted (e) Changes to Marketing and Fundraising (f) Prohibition on the Sale or Marketing of (HIPAA Omnibus Rule) [New Topic] . — 23 i. Individual Rights [New Topic] . — 25 (b) Sale of Protected Health Information iii. Business Associates [New Topic] . — 28 III. State Privacy Protections . 119 — 1. Health Information Privacy Model Act . 120 — 2. Uniform Health Care Information Act . 120 — b. Individual’s Right of Access . 121 — c. Individual’s Cause of Action for Unauthorized 2. Common Disclosure Restrictions and Their a. What Type of Entity Is Disclosing? . 123 — b. What Type of Health Information Is to Be c. Mandatory Versus Permitted Disclosures . 124 — IV. Professional Organizations and Groups . 125 — 1. American Medical Association . 125 — 2. American Hospital Association . 125 — 3. JCAHO/Joint Commission on Accreditation of B. Other Privacy Protection Guidelines . 126 — Chapter 6.
The European Data Privacy Regime . 127 33
B. The Importance of National Laws . 130 — C. National Regulators and the Article 29 Working Party . 131 — C. Data Controller and Data Processors . 134 — B. Non-EEA Established Entities . 135 — IV. The European Data Protection Principles . 136 — B. Particular Conditions for Sensitive Personal Data . 137 — C. Valid Consent and Explicit Consent . 139 — E-Health, Privacy, and Security Law—2013 Supp. VI. Export of Personal Data Outside the EEA . 143 34 A. Adequate Level of Protection . 144 — 1. European Commission Findings of Adequacy . 144 — 3. Binding Safe Processor Rules [New Topic] . 34 C. Exceptions to the General Prohibition . 147 — D. Personal Data Export Flow Chart . 149 — VII. Administrative Requirements . 150 — X. Consumer Laws and Other Relevant Laws . 155 — Chapter 7.
Information Security and Breach Notification
Under HIPAA and HITECH . 157 43
I. Introduction [Substitute Text] . — 44 A. Information Security Program Development and B. Implementing HIPAA Security Safeguards . 167 — C. HIPAA Security Investigations . 167 45 1. OCR Investigations Providing More Detailed a. Idaho State University [New Topic] . — 46 b. Hospice of Northern Idaho [New Topic] . — 46 d. Alaska Department of Health and Social e. Phoenix Cardiac Surgery [New Topic] . — 48 g. Massachusetts General Hospital [New Topic] . — 49 2. OCR Investigations Providing Less Detailed a. Pharmacy Chain Institutes New Safeguards for b. Large Medicaid Plan Corrects Vulnerability c. Health Plan Corrects Computer Flaw That d. National Pharmacy Chain Extends Protections for PHI on Insurance Code [New Topic] . — 50 e. Dentist Revises Process to Safeguard Medical f. Physician Revises Faxing Procedures to D. HIPAA Security Violation Penalty Risks . 170 51 E. Business Associates and Business Associate Contracts III. HITECH Amendments to HIPAA: Security Implications . 174 — IV. HITECH Security Breach Requirements . 177 55 V. State Security Breach Notification Legislation . 179 — A. The Economic Logic of Information Security Breach B. A Brief History of Information Security Breach C. Analysis of a Representative Information Security 2. The Complexities of Notification . 185 — D. State Security Breach Notification Laws as of Appendix 7-A: Sample HITECH/HIPAA Security Gap Analysis Chapter 8.
Enforcement of the Health Insurance Portability
and Accountability Act of 1996 [Substitute Text] . — 59
III. Investigations, Breach Reports, and Audits . — 67 A. Complaint Process and Compliance Reviews . — 68 C. HHS Audits of HIPAA Compliance . — 71 D. Voluntary Compliance and Resolution Agreements . — 72 IV. HIPAA Civil Monetary Penalties . — 73 C. CMP Limitations and Lenience Provisions . — 76 E. Industry-Wide HIPAA Compliance . — 80 F. Procedures for Imposition of Civil Monetary Penalties . — 80 G. Distinctive Features in the Imposition of Civil Monetary E-Health, Privacy, and Security Law—2013 Supp. 4. Liability for Violations by Agents . — 84 5. Aggravating and Mitigating Factors . — 85 H. Actions by State Attorneys General . — 86 E. Other Potential Theories of Indirect Criminal Liability of Covered Entities and Business Associates . — 94 VI. Enforcement Under Other Federal Statutes . — 95 B. False Claims and False Statements Statutes . — 96 VIII. Compliance: Establishing a Plan to Avoid Enforcement Chapter 9.
E-Health Liability . 251 105
II. Professional Licensure and Credentialing . 254 — B. Penalties for Violating Licensure Laws . 257 — E. Practice of Telemedicine Without Full Licensure . 261 — III. Initiatives Regarding Regulation of Telemedicine . 264 — A. Joint Working Group on Telemedicine . 265 — B. Federation of State Medical Boards . 266 — A. Existence of Physician-Patient Relationship . 268 — C. Informed Consent and the Duty to Disclose . 272 — F. Availability of Insurance for Telemedicine Encounters . 276 — 1. Malpractice Insurance and Gaps in Coverage . 276 — a. “Specified-Risk” or “Specified-Perils” b. “All-Risk” or “Open-Perils” Coverage . 277 — V. International Practice of Medicine . 278 — C. Medicaid and Medicare Reimbursement . 279 — D. International Legal and Licensing Issues . 280 — VI. Electronic Health Information . 281 — A. Physician-Patient Relationship . 282 — Chapter 10. FDA Regulation of E-Health Technology and
Services . 287 107
II. FDA Regulation of Online Activities . 289 108 B. Online Direct-to-Consumer Advertising . 291 109 2. DTC Promotion of Genetic Testing Services . 292 — III. FDA and Electronic Health Records . 293 — A. FDA Authority to Regulate EHR . 293 — C. Increased Scrutiny and Oversight of EHR Systems . 294 — 1. HIT Policy Committee Recommendation . 296 — IV. FDA Regulation of Telemedicine . 297 109 C. FDA Regulation of Mobile Medical Devices . 299 — 2. “Intended Use” of Mobile Medical Devices . 299 — a. “Accessory” and “Component” Devices . 300 — E-Health, Privacy, and Security Law—2013 Supp. E. The FDA and Telemedicine in the Early 2000s . 302 — F. Recent Developments in FDA Telemedicine G. FDA Final Rule on Medical Device Data Systems . 304 — H. Draft Guidance: Mobile Medical Applications . 306 — 2. Classification of Mobile Platforms and 3. Definition of Mobile Application “Manufacturer” . 307 — I. Final Guidance: Mobile Medical Applications 1 Direct Regulatory Oversight [New Topic] . — 112 2. Enforcement Discretion [New Topic] . — 113 J. Future Direction of Telemedicine Regulation K. Collaboration With the Federal Communications A. Structure and Objective of the Initiative . 310 — B. Current Status and Future Plans . 311 115 C. Privacy and Security Concerns . 312 — Chapter 11. Obligations in Response to a Health Care Data
Security Breach . 315 117
III. Risk Assessment [Substitute Text] . — 121 B. Identity of Any Known Recipient . — 124 C. Actual Acquisition or Viewing of Data . — 125 E. Covered Entity Obligations When Probability of IV. Exceptions to the Definition of Breach . 325 128 A. Good-Faith Disclosures Within the Scope of B. Inadvertent Disclosures by Otherwise Authorized C. Information Disclosed Not Reasonably Retained . 328 — D. Disclosures of the Limited Data Set Excluding Certain A. Obligations for Covered Entities When Multiple Entities Transfer PHI and/or Breach Security Requirements . 330 — B. Business Associate Requirements . 331 131 C. Agency Considerations [New Topic] . — 132 VII. Potential Liabilities Created by the HITECH Act . 339 135 VIII. Conclusion [Substitute Text] . — 139 Chapter 12. Due Diligence in E-Health Transactions . 343 141
II. The Nature of Due Diligence and Its Purposes . 345 — III. Standard for Due Diligence Review . 347 — IV. Composition of the Due Diligence Team . 348 — V. Procedure for the Due Diligence Review. 349 — VI. Contents of the Due Diligence Review . 353 142 E. Off-Balance-Sheet Transactions . 356 — F. Implications of Sarbanes-Oxley for the Due Diligence G. Meaningful Use Due Diligence [Substitute Text] . — 142 H. Data Rights and Responsibilities [Substitute Text] . — 144 2. Use of Data Overseas and Restrictions Thereon . — 144 3. Custodial Issues With Medical Records . — 144 I. Due Diligence Requirements for Government Contractor Entities [New Topic] . — 145 1. Anti-Assignment Acts [New Topic] . — 146 2. Valuing Government Contracts [New Topic] . — 146 3. Organizational Conflicts of Interest [New Topic] . — 146 4. Cost Allowable and Indirect Rate Determinations, Audits and Investigations [New Topic] . — 147 5. Risk Associated With Intellectual Property 6. Foreign Operations [New Topic] . — 148 E-Health, Privacy, and Security Law—2013 Supp. VII. Focus of the Due Diligence Review . 358 — D. Capabilities and Liabilities . 364 — VIII. Common Pitfalls in Due Diligence . 365 — IX. Understanding Health Care Entities and Operations . 366 148 B. Accreditation and Certification Issues . 368 — C. Protected Health Care Information . 368 148 E. Conditions for Reimbursement . 370 — F. Research or Grant Considerations . 370 — G. Obligations to Provide Notice. 370 — X. Laws and Regulations Specific to the Health Care Industry. 370 — Chapter 13. Contracts in the Digital Age: Adapting to
Changing Times . 377 151
III. The Relevant Statutes and Principles of Contract Law . 385 155 A. Electronic Signatures in Global and National B. Uniform Electronic Transactions Act (UETA) . 389 156 C. Uniform Computer Information Transactions Act IV. Litigation: Courts Coping With a New Means of V. HIPAA/HITECH Business Associate Agreements A. Business Associate Agreements . — 157 B. Expanded Scope of “Business Associate” . — 158 C. Obligations of Business Associates . — 161 D. Effective Dates for Compliance . — 164 Chapter 14. Evaluating Antitrust Concerns in the Electronic
Marketplace . 425 165
C. Antitrust Issues in the E-Commerce Setting . 429 — II. Collaborations With Competitors . 430 166 1. Inherent Risks of Sharing Information . 432 — 3. Heightened Standard for Circumstantial Evidence . 436 — III. Legal Analysis of Vertical Integration Issues . 439 — A. Competitor Control of Vertically Related Entity . 439 — B. Practical Limitations of the Theory . 441 — C. Most-Favored-Nation Requirements . 445 166 A. Significance to Electronic Health Care . 447 — C. Health Care Experience With Private Standard-Setting . 450 — Chapter 15. The Intersection of Health Law and Intellectual
Property Law . 455 169
2. Health Information Technology Standards . 462 — 4. Strengthened Privacy Rules and Breach C. Standards for Privacy of Individually Identifiable Health 3. Who Is Subject to the Privacy Rule . 465 — E-Health, Privacy, and Security Law—2013 Supp. b. Permissible Disclosures for Public Health, Law Enforcement, and Oversight Purposes . 467 — c. Disclosures for Research Purposes. 467 — d. Disclosures for Marketing Purposes . 468 — e. Minimum Necessary Requirement . 468 — 5. Administrative Safeguards of the Privacy Rule . 469 — 2. Abbreviated New Drug Application . 470 — 3. Generic Drugs and Patent Infringement . 471 — 5. Patent Term Extension and Market Exclusivity for III. Copyrights and Health Law . 473 172 B. Exclusive Rights of Copyright Ownership . 474 — C. Derivative Works and Substantial Similarity . 474 — G. Section 117 of the Copyright Act: Computer Programs . 476 — H. Medical Materials and Copyright Law . 476 172 1. Protection for Medical Documents, Images, and Commercial Labels [Amended Topic] . 477 172 2. European and U.S. Database Protection . 477 — I. Proprietary Databases and Copyright . 478 — IV. Impact of Computer-Related Legislation on Medical Record B. Health Insurance Portability and Accountability Act . 479 — C. Computer Fraud and Abuse Act . 480 — D. Digital Millennium Copyright Act . 482 173 E. Other Relevant Computer Privacy Acts . 485 — 1. Electronic Communications Privacy Act . 485 — 2. Semiconductor Chip Protection Act . 485 — 3. Children’s Online Privacy Protection Act . 486 — V. Medical Codes and How They Affect Privacy . 486 — D. Medical Codes and the Re-identification Problem . 491 — VI. Trademark—Protecting Indicia of Ownership . 493 — A. Trademarks in General and Identification With a 2. How Trademarks Can Protect a Surgical Product or VII. Patents and Patent Law for the Health Attorney . 502 173 A. Patent Drafting, Patent Prosecution, and Patent Rights 1. The Parts of a Patent Application . 503 — 3. Patent Rights and Enforcement . 506 — B. The Patent Statutes in Detail and Some Commonly Misunderstood Concepts of Patent Law . 507 173 1. The Four Requirements for Obtaining a Patent: “Idea” Versus “Invention” . 507 — 2. Section 112, First Paragraph: Written Description and Enablement [Substitute Text] . — 173 3. Section 101: Statutory Class of the Invention . 508 174 4. Section 102: Novelty Versus Originality . 509 174 5. Unobviousness and Invalidity . 510 — C. Bringing a Product to Market . 512 — 2. Filing and Acquiring Patents . 514 — D. Nuances in the Medical Field . 516 174 1. Enablement and Written Description Requirements for Claiming Multiple Configurations of Drugs and Materials [Substitute Text] . — 174 2. HIPAA Regulations and Patent Claim Strategy . 519 — VIII. Trade Secrets—Protecting Essential Information . 521 — C. Establishing Ownership of a Trade Secret . 523 — 1. The Nature of the Information . 523 — 3. Proper and Improper Means of Acquisition of a IX. Preliminary Transactional Agreements and Proprietary A. Modern Applications in the Health Care Industry . 524 — 1. Protected Health Information and Electronic ii. Warranties in Technology Transfers . 528 — iii. Regulatory Compliance Covenants . 528 — E-Health, Privacy, and Security Law—2013 Supp. c. Health Information Exchange and State 2. Proprietary Rights in Product Development . 531 — B. Suggested Drafting Provisions for the Creation of Effective Nondisclosure Agreements . 533 — 1. Access to Confidential Information . 533 — 2. Restricted Use of Confidential Information . 534 — 3. Nondisclosure of Confidential Information . 534 — 4. Nonsolicitation of Customers and Employees. 534 — 5. Reservation of Proprietary Rights . 534 — X. Managing Exposure to Intellectual Property Litigation . 534 — 1. Identifying Potential Rights Holders . 535 — 2. Identifying the Scope of Existing Rights . 536 — 3. Determining How to Proceed: Licenses, Workarounds, and Declaratory Relief . 536 — B. Strategic Intellectual Property Acquisitions . 538 — 1. Strategic Intellectual Property Filings . 538 — 2. Cross-Licensing Agreements and Patent Pools . 539 — C. Corporate Policies and Employee Education. 540 — 2. Policies Addressing Concerns Relating to 3. Ensuring Policies Are Properly Implemented . 543 — D. Minimizing Exposure to Unavoidable Intellectual 2. Industry and Government Outreach . 544 — 3. Alternative Dispute Resolution. 545 — Chapter 16. Allocation and Mitigation of Liability. 547 179
1. Consumer-Oriented E-Content Providers . 549 181 a. Unauthorized Use of Copyrighted Material . 550 — b. Unauthorized Use of a Trademark or Service 2. Provider-Oriented E-Content Providers . 563 — 1. Consumer-Oriented E-Product Providers . 564 181 b. Privacy and Data Security Issues—Excluding i. State Data Breach Notification Statutes . 569 — ii. PCI Data Security Standard . 569 — iii. Federal Trade Commission Section 5 Court’s “Inherent Powers” [New Topic] . — 181 2. Provider/Business-Oriented E-Product Providers . 573 — a. Employee Access to Health Insurance Accounts 573 — 1. Unauthorized Use of Copyrighted Material . 574 — 2. Unauthorized Use of Trademark/Service Mark . 575 — 3. Infringement of Proprietary Rights in Technology . 575 — 5. Liability for Erroneous Information/Defamation . 576 — 1. Unlicensed/Unauthorized Practice of Medicine . 577 182 3. Technology Performance Issues . 578 — 5. FDA Regulation of Telemedicine . 579 — 1. Privacy and Data Security—HIPAA and HITECH . 580 185 2. Medicare and Medicaid Incentive Programs and Achievement of Meaningful Use . 582 — 3. Allocation of Rights and Obligations Among HIE III. Allocation and Mitigation of Risk . 585 — A. The Risk: Unauthorized Use of Copyrighted Material . 585 — 1. Before a Claim Occurs—Mitigation. 585 — 2. Before a Claim Occurs—Allocation . 586 — 3. When a Claim Occurs—Mitigation . 587 — B. The Risk: Unauthorized Use of a Trademark or Service 1. Before a Claim Occurs—Mitigation. 588 — 2. Before a Claim Occurs—Allocation . 588 — 3. After a Claim Occurs—Mitigation . 589 — C. The Risk: Publication of Erroneous or Defamatory 1. Before a Claim Occurs—Mitigation. 590 — 2. Before a Claim Occurs—Allocation . 590 — 3. When a Claim Occurs—Mitigation . 590 — D. The Risk: Unlicensed or Unauthorized Practice of E-Health, Privacy, and Security Law—2013 Supp. 1. Before a Claim Occurs—Mitigation. 591 — 2. Before a Claim Occurs—Allocation . 592 — E. The Risk: E-Prescribing and Malpractice . 592 — 1. Before a Claim Occurs—Mitigation. 592 — 2. Before a Claim Occurs—Allocation . 593 — F. The Risk: Privacy and Data Security Compliance . 593 — 1. Before a Claim Occurs—Mitigation. 593 — 2. Before a Claim Occurs—Allocation . 594 — 3. When a Claim Occurs—Mitigation . 595 — Chapter 17. Discovery and Admission of Electronic
Information as Evidence . 597 187
II. Background of the Development of Rules and Standards for III. Technology Implications for Electronic Evidence: An Electronic Medical Record Information Ecosystem . 601 — IV. The 2006 Amendments to the Federal Rules of Civil A. Spoliation and the Obligation to Preserve ESI . 606 — C. Inadvertent Disclosure of Privileged or Protected A. Electronic Signatures and Electronic Medical Records . 614 — B. Electronic Health Records and Health Information Chapter 18. Legal Ethics and E-Health . 621 189
II. Use of Technology in the Practice of Health Law . 623 191 A. Attorney E-Competence in Managing Technology . 623 191 1. Confidentiality and Privacy of Electronic a. Misdirected Facsimiles or E-Mail . 624 — b. Managing Compliance with HIPAA and the 2. Security of Electronic Information . 625 193 c. Internet E-Mail and Encryption . 625 — ii. Waiver of Attorney-Client Privilege . 626 — i. Hard Drive or Remote Disk Drive Use . 627 — i. Security Compliance [New Topic] . — 193 ii. Disaster Planning [New Topic] . — 194 a Affecting the Practice of Law . 630 195 5. Use of Cellular Phones, PDAs, and Other Devices . 631 — 7. Virtual Law Office [New Topic] . — 196 B. Ethical Issues With Technology Use. 631 197 f. Use of Social Media by Attorneys—Use 3. Corporate Family Conflict Issues . 635 — C. Other Ethical Considerations . 635 200 2. Researching Potential Jurors or Witnesses . 636 200 4. Use of Online Coupons for Legal Services III. Knowledge of Client Misconduct . 637 — B. Ethics Rules on Confidentiality . 640 — 2. Assisting a Client’s Crime or Fraud . 640 — b. Crime/Fraud Exception to the Attorney-Client 4. Representing the Organization . 642 — a. “Climbing the Corporate Ladder” . 642 — E-Health, Privacy, and Security Law—2013 Supp. b. Preventing Misunderstandings About Who c. Causing a Constituent to Be Fired . 643 — 2. Model Rule 2.2 and the Ethics 2000 Commission . 644 — 4. Joint Confidences and the Ethics 2000 6. Joint Representation in Commercial Negotiations . 646 — 7. “Unintentional” Joint Representation . 647 — 8. Litigation and Joint Representation . 648 — C. Partnerships and Limited Partnerships . 651 — D. Conflicts and Malpractice Liability . 653 201 Appendices .
Appendix A:
Internet Health Sites [Substitute Text] . — 205
Appendix B:
Government Agencies [Substitute Text] . — 241
Appendix C:
E-Health Glossary [Substitute Text] . — 255
Appendix D:
Health Insurance Portability and
Accountability Act (HIPAA) Glossary
[Substitute Text] . — 281
Appendix E:
Documenting the Deal [Forms] . 767 335
E-1 HIPAA Business Associate Agreement Form E-2.1 Example of Resolution Agreement and Corrective Action Plan (Without External Monitoring) . 787 — E-2.2 Example of Resolution Agreement and Corrective Action Plan (With External Monitoring) . 803 — Appendix F:
Selected HIPAA Materials . 827 347
F-1 Example of HHS Office for Civil Rights Resolution Agreement and Corrective Action Plan (2012) . F-2 HHS, Office of Civil Rights, Guidance on Risk Analysis Requirements Under the HIPAA Security Rule F-3 HHS, Educational Materials for State Attorney General Educational Event on Enforcement of Health Privacy

Source: http://www.bna.com/uploadedfiles/Content/Products/Books/ehealthDtoc.pdf